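-------------- fw-ipf.conf ------------------------------------------------
#
# Rule 0(eth1)
# Anti-spoofing rule
#
# eth1 is the external interface: it carries 192.0.2.1 and is the interface
# the NAT "map" rules in fw-nat.conf are bound to. Inbound packets on it
# that claim to originate from the firewall's own addresses or from the LAN
# are forged and are dropped (and logged) before any pass rule can see
# them. This matters because the "global" pass rules further down carry no
# "on <iface>" clause and rely on this quick block being evaluated first.
# A loopback source can never legitimately arrive on a wire interface, so
# 127.0.0.0/8 is rejected here as well.
#
block in log quick on eth1 from 192.0.2.1 to any
block in log quick on eth1 from 10.1.1.1 to any
block in log quick on eth1 from 10.1.1.0/24 to any
block in log quick on eth1 from 127.0.0.0/8 to any
#
# Rule 0(lo)
# allow everything on loopback
#
pass in quick on lo from any to any
pass out quick on lo from any to any
#
# Rule 0(global)
# ssh access to firewall
#
# Only LAN sources may reach sshd, on either firewall address. No interface
# is named, so keeping outside hosts out of this rule depends on the eth1
# anti-spoofing block above; if another external interface is added, its
# anti-spoofing rules must be added too.
#
pass in quick proto tcp from 10.1.1.0/24 to 192.0.2.1 port = 22 keep state
pass in quick proto tcp from 10.1.1.0/24 to 10.1.1.1 port = 22 keep state
#
# Rule 1(global)
# firewall uses DNS server on LAN
#
# Stateful: the DNS replies are admitted by the state table, so no explicit
# inbound port-53 pass rule is (or should be) present.
#
pass out quick proto tcp from 192.0.2.1 to 10.1.1.0/24 port = 53 keep state
pass out quick proto tcp from 10.1.1.1 to 10.1.1.0/24 port = 53 keep state
pass out quick proto udp from 192.0.2.1 to 10.1.1.0/24 port = 53 keep state
pass out quick proto udp from 10.1.1.1 to 10.1.1.0/24 port = 53 keep state
#
# Rule 2(global)
# 'masquerading' rule
#
# All traffic from the LAN to anywhere is permitted. ICMP, TCP and UDP are
# tracked with "keep state" so their replies return via the state table.
# The two bare "pass ... from 10.1.1.0/24 to any" lines catch every other
# protocol without state; nothing below passes the replies to those, so
# they fall through to the catch-all block in Rule 3.
# NOTE(review): confirm that dropping replies for non-TCP/UDP/ICMP
# protocols (e.g. GRE, ESP) is the intended policy.
#
pass in quick proto icmp from 10.1.1.0/24 to any keep state
pass in quick proto tcp from 10.1.1.0/24 to any keep state
pass in quick proto udp from 10.1.1.0/24 to any keep state
pass in quick from 10.1.1.0/24 to any
pass out quick proto icmp from 10.1.1.0/24 to any keep state
pass out quick proto tcp from 10.1.1.0/24 to any keep state
pass out quick proto udp from 10.1.1.0/24 to any keep state
pass out quick from 10.1.1.0/24 to any
#
# Rule 3(global)
# 'catch all' rule
#
# Default deny, logged. Every packet not matched above -- including all
# unsolicited inbound traffic on eth1 -- is dropped here.
#
block in log quick from any to any
block out log quick from any to any
#
# Rule fallback rule
# fallback rule
#
# Unreachable in practice: Rule 3 is "quick" and matches every packet.
# Kept as an unlogged safety net in case Rule 3 is edited or removed.
#
block in quick from any to any
block out quick from any to any
-------------- fw-nat.conf ------------------------------------------------
#
# Rule 0(NAT)
#
# Source-NAT the LAN behind the external address 192.0.2.1 on eth1. The
# first map applies to TCP/UDP and uses "portmap ... auto" so many LAN hosts
# can share the single address; the second map, without portmap, handles the
# remaining protocols (e.g. ICMP). Filter rules see the pre-translation
# 10.1.1.0/24 source on the way out, which is why Rule 2 in fw-ipf.conf
# matches on the LAN addresses rather than on 192.0.2.1.
#
map eth1 from 10.1.1.0/24 to 0.0.0.0/0 -> 192.0.2.1/32 portmap tcp/udp auto
map eth1 from 10.1.1.0/24 to 0.0.0.0/0 -> 192.0.2.1/32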